Covid 19 Test Lab: Insufficient technical and organisational measures to ensure information security

The Austrian DPA has imposed a fine of EUR 100,000 on a Covid 19 test lab. The controller failed to implement sufficient technical and organisational measures, resulting in a data breach. Furthermore, the controller refused to inform the data subjects of the breach. The DPA also found that the controller processed certain data without a sufficient legal basis, used a processor without the necessary contract, failed to designate a suitable DPO, and failed to report the designation to the DPA.

GDPR Articles: Art. 9 GDPR, Art. 5 (1) f) GDPR, Art. 28 (3) GDPR, Art. 32 GDPR, Art. 34 GDPR
Industry: Health Care